CWE · MITRE source
CWE-345: Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 39 mapping(s) from 10 framework(s): ATT&CK 16 (mostly) · CAPEC 12 (partial) · STIG oracle linux 8 2 (mostly) · STIG rhel 7 2 (mostly) · STIG rhel 8 2 (mostly) · CSF 2.0 1 (mostly) · ASVS 5.0 1 (mostly) · STIG oracle linux 9 1 (mostly) · STIG rhel 9 1 (mostly) · OWASP-Web 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A08:2025 Software or Data Integrity Failures.
NIST 800-53 r5 controls that address this weakness (9) · AI
Showing the 7 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-17 | Public Key Infrastructure Certificates | SC | Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts. |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | SC | Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data. |
| SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | SC | Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses. |
| SR-4 | Provenance | SR | Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history. |
| SR-9 | Tamper Resistance and Detection | SR | The control implements verification mechanisms that detect tampering by ensuring data authenticity. |
| PT-8 | Computer Matching Requirements | PT | Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources. |
| SI-7 | Software, Firmware, and Information Integrity | SI | Mandates verification of data authenticity for software, firmware, and information. |

2 more broadly-applicable controls:

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-33 | Transmission Preparation Integrity | SC | Control requires verification of data authenticity/integrity (e.g., checksums) after aggregation/packing, directly reducing exploitation of insufficient verification before transmission. |
| SC-45 | System Time Synchronization | SC | Time synchronization supports reliable freshness verification when checking data authenticity across systems or components. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2022-26871 KEV | 10.0 | 9.8 | 0.1963 | 2022-03-29 |
| CVE-2023-38831 KEV | 10.0 | 7.8 | 0.9780 | 2023-08-23 |
| CVE-2016-4553 | 8.0 | 8.6 | 0.7997 | 2016-05-10 |
| CVE-2015-6853 | 7.0 | 9.1 | 0.0150 | 2016-03-24 |
| CVE-2015-6854 | 7.0 | 9.1 | 0.0150 | 2016-03-24 |
| CVE-2017-3198 | 7.0 | 9.8 | 0.0160 | 2018-07-09 |
| CVE-2015-3956 | 7.0 | 9.8 | 0.0095 | 2019-03-25 |
| CVE-2018-19971 | 7.0 | 9.8 | 0.0303 | 2019-04-16 |
| CVE-2019-11235 | 7.0 | 9.8 | 0.0357 | 2019-04-22 |
| CVE-2019-6695 | 7.0 | 9.8 | 0.0077 | 2019-08-23 |
| CVE-2019-18835 | 7.0 | 9.8 | 0.0086 | 2019-11-08 |
| CVE-2019-2289 | 7.0 | 9.8 | 0.0061 | 2019-11-21 |
| CVE-2013-2167 | 7.0 | 9.8 | 0.0170 | 2019-12-10 |
| CVE-2019-5613 | 7.0 | 9.8 | 0.0058 | 2020-02-18 |
| CVE-2016-1000004 | 7.0 | 9.8 | 0.0068 | 2020-02-19 |
| CVE-2019-12510 | 7.0 | 9.1 | 0.0071 | 2020-02-24 |
| CVE-2019-5161 | 7.0 | 9.1 | 0.0251 | 2020-03-11 |
| CVE-2019-20530 | 7.0 | 9.8 | 0.0042 | 2020-03-24 |
| CVE-2020-7487 | 7.0 | 9.8 | 0.0067 | 2020-04-22 |
| CVE-2020-9141 | 7.0 | 9.1 | 0.0036 | 2021-01-13 |
| CVE-2020-26547 | 7.0 | 9.8 | 0.0055 | 2021-02-01 |
| CVE-2020-28900 | 7.0 | 9.8 | 0.0236 | 2021-05-24 |
| CVE-2021-37421 | 7.0 | 9.8 | 0.0249 | 2021-08-30 |
| CVE-2020-24672 | 7.0 | 9.8 | 0.0054 | 2021-09-08 |
| CVE-2021-43616 | 7.0 | 9.0 | 0.0253 | 2021-11-13 |